The legal side: Brush up on the “do’s and don’ts” of SaaS

By Thomas J. Hall, Of Counsel, Baker, Donelson, Bearman, Caldwell and Berkowitz, PC

October 13, 2008

Growth of the Internet, and particularly of reliable broadband connections, opened the way to a new commercial model—Software-as-a-Service (SaaS)—in which the customer pays a relatively small fee to use services provided off-site by a third-party vendor. This model is not entirely new, but not so long ago only major corporations and the government could afford the high-speed connections needed for such services.

The proliferation of high-speed connections now makes it feasible for smaller businesses to take advantage of such services, and vendors have been quick to capitalize on the opportunity. SaaS offerings now include payroll administration, document management, data processing, medical transcription, and more.

The SaaS model offers many attractions—among them eliminating the need to buy the latest and greatest hardware and software every few years. In the SaaS model, the vendor makes the capital expenditure, and each customer pays a share of those costs. But that does not mean SaaS is the ideal model for your business.

To turn a profit, a SaaS vendor needs to capitalize on economies of scale. The result is a “one size fits all” approach. If your needs require customization, the typical SaaS vendor might not be able to accommodate you. Instead, you may need to go shopping for an application service provider (ASP).

If your provider has a problem, you have a problem, and potentially a large one if you’ve outsourced a “mission-critical” service. What will you do if, for example:

• The communication link between you and your provider fails in the middle of your work day?

• The provider reports that your payroll records are corrupted?

• You watch your provider’s server farm blow away in a tornado?

• Your archives are lost?

• Your records are hacked?

• Your provider sends a short email announcing: “Won the lottery. On my way to Tahiti. It’s been fun.”

• Provider advises that “Your six-month trial rate has ended and the cost will now triple.” (Of course, after six months you are hooked on the service and have let go the personnel who used to do the work in-house.)

• Provider 2 has made you a better offer and you want to jump ship.

• Assume you outsourced financial work, such as payroll. How will you ensure compliance with laws and regulations?

Other questions to consider:

• Who will train your personnel?

• Can you guard against major changes in operations or interfaces that would require you to invest in major retraining?

• Can you be certain that the vendor will stay current with the latest and greatest technology?

• Alternatively, do you want to be able to opt out of the latest and greatest?

Recall that a SaaS provider relies on volume to turn a profit. Thus the provider’s offerings will be limited—little or no customization will be allowed. The same considerations apply to the service contract: The number of available options likely will be between few and none. A prospective customer is well advised to study the services offered and the terms of service. If a customer’s needs and a provider’s services are not a good match, moving on may be the customer’s best choice. A SaaS provider’s business model simply will not permit the provider to enter into prolonged negotiations, or to significantly customize their services.

When assessing a SaaS provider, look for:

• A match between the services you need and the services offered.

• Adequate physical and logical security for data and the hardware on which the data resides.

• Adequate nondisclosure agreements executed by vendor’s personnel.

• Adequate warranties regarding data transmission rates and system availability. (A warranty of 99 percent availability is inadequate if that 1 percent falls in the middle of your period of peak use.)

• Comprehensive data back-up and disaster-recovery procedures and capabilities.

• Return-to-service provisions that are sound and sufficient to keep you in business.

• Training and technology refresh provisions that meet your needs.

• Warranties that services comply with all applicable laws and regulations.

• Indemnification and hold harmless against third-party claims of intellectual property infringement and against government fines or sanctions for noncompliance.

• Security and privacy procedures consistent with those imposed on you by law or regulation.

• Can you use the service with your current technology? If new technology is needed, will it generate an acceptable ROI?

• Will you really save money/improve efficiency or increase profitability if you outsource versus keep the work in-house?

The new world of SaaS vendors does offer a number of opportunities, but no magic bullet. There is still no substitute for doing one’s homework, carefully and diligently.